Received: by 10.223.185.116 with SMTP id b49csp1172747wrg; Sun, 11 Feb 2018 06:08:31 -0800 (PST) X-Google-Smtp-Source: AH8x227a1PT1Jq8qHzpWi8RVw6KeXvgAUbmR5Bp13Hlr37CxEa5PjHiqsmm7AbPZ6R+blI+jisVV X-Received: by 10.98.232.24 with SMTP id c24mr8732564pfi.227.1518358111827; Sun, 11 Feb 2018 06:08:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518358111; cv=none; d=google.com; s=arc-20160816; b=olDG2oV62rj57ogzUFfmqMH6Jn2+/qSZ8p6/j86+7A2EMA21zjI3Al50FQSoSWyafu 2gGFcnsj9jD4fPB4rJS7m0XKneTtZA6e8BUyO4oBosYcBzfcb1Zt3MKflohIC/1hNpb8 2vclDld1teYD9Q0MnP1F9Xlcjteof2tqppkUEoMaYQs5b6t1uUZv8QQYGnkb0z5Re/2B Y7gcETvvOKEelNNb50Ol9+esYZQlhj6nyMQYMhVxtgJGokuEz76KtBJs0MaJXfTXIbfA TGVyRLhoeq2HfhfNoGPjcpZtXeKGWihUII3S6Ybffl+nYP/V86hwn43sri5CmtRxjYUQ vTXQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-transfer-encoding :mime-version:references:in-reply-to:date:cc:to:from:subject :arc-authentication-results; bh=bwgE+vu5ParKuvWHNz8MNHePHBpdK9KPQrLju6FH1i4=; b=zAakAxF7ktxJEFXg4Bjk+V7/wZZM/yaJsF2CYqdY4t9zZvDgWLtK1R3zHUA46pFEKD hZMRWfr138uKwpvP1/tRmY2BLYm7VI3agBXf6+PmfoV1B7mMYfWqMa3qe7k3huosHjHv EKsTbx17Slg/CybeYQOvBCxVmuoA5yyCNE2y5JYfUibhlGK9yy0h1haE6iJVm3Q3riem WEIk0RRAbaAxW4usQ1JB6EH/uT2vKBMUOi+mPUVHxzlTXifYdh8ALeRRdK7nRrj0WX0h VoONkzwap5GjfBi0mOXFze6bFIHf1Me+Bff99z4/2hDZWU9jjrBy/o0pvjpK0OgJ99jj dEXw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e12si792250pgf.646.2018.02.11.06.08.15; Sun, 11 Feb 2018 06:08:31 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753420AbeBKOHg (ORCPT + 99 others); Sun, 11 Feb 2018 09:07:36 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:39616 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753243AbeBKOHe (ORCPT ); Sun, 11 Feb 2018 09:07:34 -0500 Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w1BE7XIX104739 for ; Sun, 11 Feb 2018 09:07:34 -0500 Received: from e06smtp13.uk.ibm.com (e06smtp13.uk.ibm.com [195.75.94.109]) by mx0a-001b2d01.pphosted.com with ESMTP id 2g2en4u4pk-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Sun, 11 Feb 2018 09:07:33 -0500 Received: from localhost by e06smtp13.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Sun, 11 Feb 2018 14:07:30 -0000 Received: from b06cxnps3075.portsmouth.uk.ibm.com (9.149.109.195) by e06smtp13.uk.ibm.com (192.168.101.143) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Sun, 11 Feb 2018 14:07:27 -0000 Received: from d06av22.portsmouth.uk.ibm.com (d06av22.portsmouth.uk.ibm.com [9.149.105.58]) by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w1BE7RbM65011750; Sun, 11 Feb 2018 14:07:27 GMT Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id EF9674C040; Sun, 11 Feb 2018 14:01:13 +0000 (GMT) Received: from d06av22.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 72C7C4C04A; Sun, 11 Feb 2018 14:01:13 +0000 (GMT) Received: from localhost.localdomain (unknown [9.80.80.76]) by d06av22.portsmouth.uk.ibm.com (Postfix) with ESMTP; Sun, 11 Feb 2018 14:01:13 +0000 (GMT) Subject: Re: [GIT PULL] Integrity: IMA FUSE fixes From: Mimi Zohar To: James Morris Cc: linux-kernel@vger.kernel.org, Linus Torvalds Date: Sun, 11 Feb 2018 09:07:26 -0500 In-Reply-To: References: <1518324116.5491.132.camel@linux.vnet.ibm.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 x-cbid: 18021114-0012-0000-0000-000005AD93F6 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18021114-0013-0000-0000-0000192954FC Message-Id: <1518358046.5491.187.camel@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2018-02-11_06:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1802110186 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 2018-02-12 at 00:19 +1100, James Morris wrote: > On Sat, 10 Feb 2018, Mimi Zohar wrote: > > Custom policy rules could be defined to disable measurement, > > appraisal, and audit for files on fuse.  However, I don't think we > > want to automatically disable measurement, even meaningless > > measurements.  Some indication needs to be included for remote > > attestation, security analytics, or forensics.  For systems with > > policies that require file signatures even on fuse, the safest thing > > would seem to be to fail the signature verification. > > I don't understand this -- if a file passes signature verification, it > passes. If it was modified and still passes, the problem is elsewhere. > > I don't think the FUSE measurements are inherently useless, or more > useless than any others, at least. You can misconfigure all kinds of > things on a system which would undermine IMA, and I would count allowing > unprivileged use of FUSE with critical files as such. The problem is that fuse can provide whatever it wants, whenever it wants.  It could provide different pages for the initial file hash calculation and then for usage. If the file is first read into a buffer, like for the kernel_read_file_xxx() hooks, then the file data would be the same for the file calculation and usage, but for most of the IMA hooks, the file isn't first read into a buffer. > The point of the patches, IIUC, was that FUSE had no useful way to notify > IMA that a file had changed, so, always measure. IMA assumes that changes > to a running system are made under the control of a correctly enforced > security policy. If you're using FUSE and IMA, then you should understand > the security implications of that. Or am I missing something? That's all true, but I think the intent of these patches was to detect malicious file change, where the fuse filesystem itself is malicious. From the patch description:     It is useful in FUSE because the userspace FUSE process can change the underlying files at any time without notifying the kernel. FUSE can be mounted by unprivileged users either today with fusermount installed with setuid, or soon with the upcoming patches to allow FUSE mounts in a non-init user namespace. That makes the issue more visible than for network filesystems where unprivileged users cannot mount. For the example test provided, re-measuring the file works properly. I had missed that if the fuse filesystem could provide different files, at least in theory, it could also be able to provide different pages. Mimi